IETF Logo Mail Archive

Re: [rtcweb] Consensus call regarding media security

Roman Shpount <roman@telurix.com> Thu, 29 March 2012 06:04 UTC

Return-Path: <roman@telurix.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C28221E8064 for <rtcweb@ietfa.amsl.com>; Wed, 28 Mar 2012 23:04:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.681
X-Spam-Level:
X-Spam-Status: No, score=-2.681 tagged_above=-999 required=5 tests=[AWL=-0.005, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k9-l+KOzy-py for <rtcweb@ietfa.amsl.com>; Wed, 28 Mar 2012 23:04:58 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 0DD1F21E8042 for <rtcweb@ietf.org>; Wed, 28 Mar 2012 23:04:57 -0700 (PDT)
Received: by ggmi1 with SMTP id i1so1367489ggm.31 for <rtcweb@ietf.org>; Wed, 28 Mar 2012 23:04:57 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=VCkPminWbw52ppjGvATGunMS0PEzRt+zK7uIfQQ+seI=; b=KKUqIRL62nrFA8U/6DcGKmssq1MnojgEwKvtDsPHQmP+mqxrPMbunmhiDiBzOFB4Dz NR24BG0GJS6CSKMuH7Ot91Vi3MKll9lOLSMxjRc4dtviaJst3c7YkhLUnttaaMs21L7P IFlxlr/VpMuOXkyJ4t7Gz87uSIdfiK1oISBYe8ff92OkMOrNXnSJi3bGwSgJG0QCRZoG PBqPygzEBScdXYIBa21P/72WfJYZCqD1rfQNeQKGqvnB7doBATryB0+ICKM3zF1PtRvJ 3apyDRN0l43aPX8XuigIkgsweOpAHumIg/1dkSncsBJPHSTVWwneoYM9pnuCqhgTtO4q s22A==
Received: by 10.68.193.231 with SMTP id hr7mr2897737pbc.44.1333001096034; Wed, 28 Mar 2012 23:04:56 -0700 (PDT)
Received: from mail-pb0-f44.google.com (mail-pb0-f44.google.com [209.85.160.44]) by mx.google.com with ESMTPS id o2sm4280069pbb.45.2012.03.28.23.04.54 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 28 Mar 2012 23:04:55 -0700 (PDT)
Received: by pbbrq13 with SMTP id rq13so2972234pbb.31 for <rtcweb@ietf.org>; Wed, 28 Mar 2012 23:04:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.221.10 with SMTP id qa10mr2898470pbc.139.1333001094439; Wed, 28 Mar 2012 23:04:54 -0700 (PDT)
Received: by 10.68.6.67 with HTTP; Wed, 28 Mar 2012 23:04:54 -0700 (PDT)
In-Reply-To: <CALiegfkmckSar175LDYouvPkp0Vm1QCKhmTuiGNnD62QTDhamg@mail.gmail.com>
References: <4F732531.2030208@ericsson.com> <CAD5OKxs6NHha2egNSTumEaHYJ0bB6qu_nfshmBM6dntx2n49HQ@mail.gmail.com> <CALiegfn4MZYb-qCnM62T7w4EgWqrC5baN+pAYBZF84kEA7Ko6A@mail.gmail.com> <CAD5OKxtDED1vSFrw4V9TKkUzdSSXNg+S_WBrxmnFo21hjJvqMA@mail.gmail.com> <CALiegfkmckSar175LDYouvPkp0Vm1QCKhmTuiGNnD62QTDhamg@mail.gmail.com>
Date: Thu, 29 Mar 2012 02:04:54 -0400
Message-ID: <CAD5OKxur4FKAw8PprjfxLQVekmOWGuQegqN02mHsP+Hr-k_UNg@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: Iñaki Baz Castillo <ibc@aliax.net>
Content-Type: multipart/alternative; boundary="e89a8ff24801b821cb04bc5b8056"
X-Gm-Message-State: ALoCoQmN+E6P3d2S1/0TAB8zQ8qN13cqp0QUH8TZtIFQsHAq6SAD68MdiY2a0lVma9aO2LoK49D7
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Consensus call regarding media security
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2012 06:04:59 -0000

On Wed, Mar 28, 2012 at 5:11 PM, Iñaki Baz Castillo <ibc@aliax.net> wrote:

> In all those scenarios you mention, using security (SRTP) is not *bad*, is
> it?
> The fact that in certain scenarios it could be not needed, it does not
> mean that "no security" is better than "security".
>
> I actually think that you are confusing encryption with security. No
encryption often means better security. Bot nets use encryption to
communicate, it does not mean they enable user security. In a lot of cases
ability for the user to check what exactly they are communicating and to
whom is security. As a security conscious person I do not want encrypted
communication from my computer or my network unless I know exactly who it
is going to. If I do not have to I would prefer my communications to be
unencrypted.


> RFC 3711 was created in 2004, 8 years ago!
>
> Which "new" application you mean if it's not capable of implementing a
> simple specification from 2004? how "new" is it? is it really new? or
> is it a "SIP voicemail server" made in 2002?
>
> Well let me list them: FreeSwitch, Asterisk, linphone, etc. All of those
use libsrtp. For all of them SRTP is broken. Not a single one of them
bothered to check or only recently detected problems (
https://issues.asterisk.org/jira/browse/ASTERISK-16665).


>
> Sorry but I still see *no* argument at all in favour of allowing plain
> RTP in WebRTC. And AFAIK there is already consensus about it: plain
> RTP is not allowed.
>
> I do not see an argument why RTP should not be allowed. I think you are
arguing we should require a feature (SRTP) for the sake of requiring a
feature.
_____________
Roman Shpount

v2.23.0 | Report a Bug | By Email